There is an edge case when using email as the authentication method as well as email verification. The server will crash if the user hasn't verified the email but a new registration with that same email is tried.
Steps to reproduce:

1. Set the following allauth settings:

```python
ACCOUNT_AUTHENTICATION_METHOD = "email"  # username, email or username_email
ACCOUNT_USER_MODEL_USERNAME_FIELD = None
ACCOUNT_EMAIL_REQUIRED = True  # Needs to be True to use email as the auth method
ACCOUNT_USERNAME_REQUIRED = False
ACCOUNT_UNIQUE_EMAIL = True
ACCOUNT_EMAIL_VERIFICATION = "mandatory"  # "none", "optional", "mandatory"
```

2. Register a new email
3. Try to register the same email without first validating it
**Analysis**
I found that this edge case is not handled in the serializer:
```python
def validate_email(self, email):
    email = get_adapter().clean_email(email)
    if allauth_account_settings.UNIQUE_EMAIL:
        # Only a *verified* address is treated as taken
        if email and EmailAddress.objects.is_verified(email):
            raise serializers.ValidationError(
                _("A user is already registered with this e-mail address."),
            )
    return email
```
The validation error for unique email is only raised if the account has been verified.
```python
def validate_email(self, email):
    email = get_adapter().clean_email(email)
    if allauth_account_settings.UNIQUE_EMAIL:
        if email and EmailAddress.objects.is_verified(email):
            raise serializers.ValidationError(
                _("A user is already registered with this e-mail address."),
            )
        else:
            # Also reject an address that exists but has not been verified yet
            query = EmailAddress.objects.filter(email__iexact=email)
            if query.exists():
                email_address = query.first()
                if email_address.user.has_usable_password():
                    raise serializers.ValidationError(
                        _("A user is already registered with this e-mail address but hasn't verified their email yet."),
                    )
    return email
```
Note that in the meantime users can implement this fix by creating a custom RegisterSerializer as explained in the docs.
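To make the difference between the two validators concrete, here is an added, self-contained example (not dj-rest-auth or django-allauth code). `EmailAddressStore`, `User`, `clean_email` and the `IntegrityError` stand-in are constructed for this example to replace `EmailAddress.objects`, the adapter and the database's unique-email constraint, so the registration path can be exercised offline; `attempt_registration` mimics the register view by validating first and then saving.

```python
from dataclasses import dataclass, field


class ValidationError(Exception):
    """Stand-in for serializers.ValidationError: the client gets a clean 400."""


class IntegrityError(Exception):
    """Stand-in for the DB error hit when ACCOUNT_UNIQUE_EMAIL's constraint is violated."""


@dataclass
class User:
    usable_password: bool = True

    def has_usable_password(self):
        return self.usable_password


@dataclass
class EmailAddress:
    email: str
    user: User
    verified: bool = False


@dataclass
class EmailAddressStore:
    """Constructed stand-in for EmailAddress.objects with a unique-email constraint."""
    rows: list = field(default_factory=list)

    def filter_iexact(self, email):
        return [r for r in self.rows if r.email.lower() == email.lower()]

    def is_verified(self, email):
        # Same semantics as the issue's EmailAddress.objects.is_verified(email)
        return any(r.verified for r in self.filter_iexact(email))

    def add(self, email, user, verified=False):
        if self.filter_iexact(email):
            raise IntegrityError(f"duplicate e-mail {email!r}")
        row = EmailAddress(email, user, verified)
        self.rows.append(row)
        return row


def clean_email(email):
    """Stand-in for get_adapter().clean_email(): trim and lower-case."""
    return email.strip().lower()


def validate_email_original(store, email, unique_email=True):
    """The check as shipped: only a verified address blocks a new registration."""
    email = clean_email(email)
    if unique_email and email and store.is_verified(email):
        raise ValidationError("A user is already registered with this e-mail address.")
    return email


def validate_email_fixed(store, email, unique_email=True):
    """The issue's fix: an unverified address on a real account is rejected too."""
    email = clean_email(email)
    if unique_email:
        if email and store.is_verified(email):
            raise ValidationError("A user is already registered with this e-mail address.")
        for row in store.filter_iexact(email):
            # Mirrors the has_usable_password() guard from the proposed fix
            if row.user.has_usable_password():
                raise ValidationError(
                    "A user is already registered with this e-mail address "
                    "but hasn't verified their email yet."
                )
    return email


def attempt_registration(store, email, validator):
    """Validate, then save, like the register view; return what the client would observe."""
    try:
        cleaned = validator(store, email)
    except ValidationError:
        return "rejected"  # 400 with a field error
    try:
        store.add(cleaned, User())
    except IntegrityError:
        return "crashed"  # unhandled -> 500, the symptom in this issue
    return "created"  # verification mail would be sent at this point


def demo():
    """Run the reproduction steps against both validators and collect the outcomes."""
    results = {}
    store = EmailAddressStore()
    results["first_register"] = attempt_registration(store, "Alice@Example.com", validate_email_original)
    results["duplicate_original"] = attempt_registration(store, "alice@example.com", validate_email_original)
    results["duplicate_fixed"] = attempt_registration(store, "alice@example.com", validate_email_fixed)
    return results


if __name__ == "__main__":
    print(demo())
```

The second attempt against the unverified address shows the failure mode: the original validator lets the request through and the unique constraint raises in the save step, while the fixed validator turns it into an ordinary validation error before anything touches the database.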
Just ran into this issue myself. Though I am configuring with `ACCOUNT_EMAIL_VERIFICATION = "optional"`, I think your fix will work in this use case as well.
Here's the proposed fix in #618. The wording is not the best and can be changed.

Tested and working. Opened #618.